CVE-2020-8150
CVE-2020-8150 is a medium-severity vulnerability in Nextcloud Nextcloud Server with a CVSS 3.x base score of 4.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-311.
Key facts
- Severity: Medium (CVSS 3.x base score 4.1)
- CVSS v2: 1.9
- EPSS exploit prediction: 0% (20th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-311
- Affected product: Nextcloud Nextcloud Server
- Published:
- Last modified:
Description
A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.
Frequently asked questions
- What is CVE-2020-8150?
- A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.
- How severe is CVE-2020-8150?
- CVE-2020-8150 has a CVSS 3.x base score of 4.1, rated medium severity. It is exploitable over local access with high attack complexity, requires high privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2020-8150 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (20th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-8150?
- CVE-2020-8150 affects Nextcloud Nextcloud Server. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2020-8150?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-8150 published?
- CVE-2020-8150 was published on 2020-11-09 and last updated on 2026-06-17.
References
- http://seclists.org/fulldisclosure/2020/Dec/55
- http://seclists.org/fulldisclosure/2020/Dec/57
- http://seclists.org/fulldisclosure/2020/Dec/58
- https://hackerone.com/reports/742588
- https://nextcloud.com/security/advisory/?id=NC-SA-2020-039
Affected products (1)
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
More vulnerabilities in Nextcloud Nextcloud Server
- CVE-2021-22915 — Critical (CVSS 9.8): Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6…
- CVE-2021-32802 — Critical (CVSS 9.3): Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user…
- CVE-2023-26482 — Critical (CVSS 9.0): Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed…
- CVE-2021-32688 — High (CVSS 8.8): Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific…
- CVE-2018-3775 — High (CVSS 8.8): Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user…
- CVE-2023-35172 — High (CVSS 8.7): NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity…
All CVEs affecting Nextcloud Nextcloud Server →
Other CWE-311 (Missing Encryption of Sensitive Data) vulnerabilities
- CVE-2023-6339 — Critical (CVSS 10.0): Google Nest WiFi Pro root code-execution & user-data compromise
- CVE-2023-4420 — Critical (CVSS 9.8): A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of…
- CVE-2023-0750 — Critical (CVSS 9.8): Yellobrik PEC-1864 implements authentication checks via javascript in the frontend interface. When the device can be…
- CVE-2020-15331 — Critical (CVSS 9.8): Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded OAUTH_SECRET_KEY in /opt/axess/etc/default/axess.
- CVE-2019-3431 — Critical (CVSS 9.8): All versions up to V4.01.01.02 of ZTE ZXCLOUD GoldenData VAP product have encryption problems vulnerability. Attackers…
- CVE-2019-12924 — Critical (CVSS 9.8): MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be…
Browse all CWE-311 (Missing Encryption of Sensitive Data) vulnerabilities →